Windows storage accessor

Author: chlowell

extensions/accessor/storage_test.go

@@ -0,0 +1,84 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License. See LICENSE in the project root for license information.
+
+// TODO: add other platforms
+//go:build windows
+// +build windows
+
+package accessor
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"runtime"
+	"sync"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+const msalextManualTest = "MSALEXT_MANUAL_TEST"
+
+var (
+	ctx = context.Background()
+
+	// the Windows implementation doesn't require user interaction
+	runTests = runtime.GOOS == "windows" || os.Getenv(msalextManualTest) != ""
+)
+
+func TestRace(t *testing.T) {
+	if !runTests {
+		t.Skipf("set %s to run this test", msalextManualTest)
+	}
+	p := filepath.Join(t.TempDir(), t.Name())
+	a, err := New(p)
+	require.NoError(t, err)
+
+	actual, err := a.Read(ctx)
+	require.NoError(t, err)
+	require.Empty(t, actual)
+
+	expected := "expected"
+	wg := sync.WaitGroup{}
+	for i := 0; i < 20; i++ {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			if !t.Failed() {
+				actual := []byte{}
+				err := a.Write(ctx, []byte(expected))
+				if err == nil {
+					actual, err = a.Read(ctx)
+				}
+				if err != nil {
+					t.Error(err)
+				} else if a := string(actual); a != expected {
+					t.Errorf("expected %q, got %q", expected, a)
+				}
+			}
+		}()
+	}
+	wg.Wait()
+}
+
+func TestRoundTrip(t *testing.T) {
+	if !runTests {
+		t.Skipf("set %s to run this test", msalextManualTest)
+	}
+	p := filepath.Join(t.TempDir(), t.Name())
+	a, err := New(p)
+	require.NoError(t, err)
+
+	actual, err := a.Read(ctx)
+	require.NoError(t, err)
+	require.Empty(t, actual)
+
+	expected := []byte("expected")
+	err = a.Write(ctx, expected)
+	require.NoError(t, err)
+
+	actual, err = a.Read(ctx)
+	require.NoError(t, err)
+	require.Equal(t, expected, actual)
+}

extensions/accessor/windows.go

@@ -0,0 +1,108 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License. See LICENSE in the project root for license information.
+
+//go:build windows
+// +build windows
+
+package accessor
+
+import (
+	"context"
+	"errors"
+	"math"
+	"os"
+	"path/filepath"
+	"sync"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+// Storage stores data in a file encrypted by the Windows data protection API.
+type Storage struct {
+	m *sync.RWMutex
+	p string
+}
+
+// New is the constructor for Storage. "p" is the path to the file in which to store data.
+func New(p string) (*Storage, error) {
+	return &Storage{m: &sync.RWMutex{}, p: p}, nil
+}
+
+// Read returns data from the file. If the file doesn't exist, Read returns a nil slice and error.
+func (s *Storage) Read(context.Context) ([]byte, error) {
+	s.m.RLock()
+	defer s.m.RUnlock()
+
+	data, err := os.ReadFile(s.p)
+	if errors.Is(err, os.ErrNotExist) {
+		return nil, nil
+	}
+	if err != nil {
+		return nil, err
+	}
+	if len(data) > 0 {
+		data, err = dpapi(decrypt, data)
+	}
+	return data, err
+}
+
+// Write stores data in the file, creating the file if it doesn't exist.
+func (s *Storage) Write(ctx context.Context, data []byte) error {
+	s.m.Lock()
+	defer s.m.Unlock()
+
+	data, err := dpapi(encrypt, data)
+	if err != nil {
+		return err
+	}
+	err = os.WriteFile(s.p, data, 0600)
+	if errors.Is(err, os.ErrNotExist) {
+		dir := filepath.Dir(s.p)
+		if err = os.MkdirAll(dir, 0700); err == nil {
+			err = os.WriteFile(s.p, data, 0600)
+		}
+	}
+	return err
+}
+
+type operation int
+
+const (
+	decrypt operation = iota
+	encrypt
+)
+
+func dpapi(op operation, data []byte) (result []byte, err error) {
+	out := windows.DataBlob{}
+	defer func() {
+		if out.Data != nil {
+			_, e := windows.LocalFree(windows.Handle(unsafe.Pointer(out.Data)))
+			// prefer returning DPAPI errors because they're more interesting than LocalFree errors
+			if e != nil && err == nil {
+				err = e
+			}
+		}
+	}()
+	in := windows.DataBlob{Data: &data[0], Size: uint32(len(data))}
+	switch op {
+	case decrypt:
+		// https://learn.microsoft.com/windows/win32/api/dpapi/nf-dpapi-cryptunprotectdata
+		err = windows.CryptUnprotectData(&in, nil, nil, 0, nil, 1, &out)
+	case encrypt:
+		// https://learn.microsoft.com/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata
+		err = windows.CryptProtectData(&in, nil, nil, 0, nil, 1, &out)
+	default:
+		err = errors.New("invalid operation")
+	}
+	if err == nil {
+		// cast out.Data to a pointer to an arbitrarily long array, then slice the array and copy out.Size bytes from the
+		// slice to result. This avoids allocating memory for a throwaway buffer but imposes a max size on the data because
+		// the fictive array backing the slice can't be larger than the address space or the maximum value of an int. Those
+		// values vary by platform, so the array size here is a compromise for 32-bit systems and allows ~2 GB of data.
+		result = make([]byte, out.Size)
+		source := (*[math.MaxInt32 - 1]byte)(unsafe.Pointer(out.Data))[:]
+		copy(result, source)
+	}
+	return result, err
+}

extensions/accessor/windows_test.go

@@ -0,0 +1,33 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License. See LICENSE in the project root for license information.
+
+//go:build windows
+// +build windows
+
+package accessor
+
+import (
+	"encoding/json"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestWriteEncryption(t *testing.T) {
+	p := filepath.Join(t.TempDir(), t.Name())
+	a, err := New(p)
+	require.NoError(t, err)
+
+	data := []byte(`{"key":"value"}`)
+	require.NoError(t, json.Unmarshal(data, &struct{}{}), "test bug: data should unmarshal")
+	require.NoError(t, a.Write(ctx, data))
+
+	// Write should have encrypted data before writing it to the file
+	actual, err := os.ReadFile(p)
+	require.NoError(t, err)
+	require.NotEmpty(t, actual)
+	err = json.Unmarshal(actual, &struct{}{})
+	require.Error(t, err, "Unmarshal should fail because the file's content, being encrypted, isn't JSON")
+}

go.mod

@@ -5,6 +5,7 @@ go 1.18
 require (
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0
 	github.com/stretchr/testify v1.8.2
+	golang.org/x/sys v0.8.0
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
 )
 
@@ -17,6 +18,5 @@ require (
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	golang.org/x/sys v0.5.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -26,8 +26,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8=
 github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=